A secure way to transport the password and authenticate without a DB

0 votes
asked by user (2.7k points)

I'm making a system which needs a password to enter, and my plan is to make a form with only a password input (since I only need one password) and then use POST to authenticate the password, then update the PHP session to logged_in. I know the value won't show with the POST method, but I don't really know whether that is secure, and since it's an HTML form I don't know whether there is any way to encrypt/hash the input. Though I have an HTTPS connection and am also forcing it, I don't know whether the password will be hacked and whether my method is secure.

commented by user (100 points)
If the form is submitted via HTTPS, you do not need any more steps to be safe (enough). Just read it from $_POST and match against the DB. Otherwise, please elaborate on why this is not secure enough.
commented by user (2.7k points)
I'm asking because, though I use HTTPS, I'm not sure whether an attacker can access the data I send via the POST method.
commented by user (100 points)
Which attacker? For most use cases, HTTPS will do just fine. If you have super special, extremely sensitive data, you can reconsider. Also, have you thought about implementing two-factor authentication (e.g. via an authenticator app on the smartphone)? Then it wouldn't matter whether an attacker accessed the password or not.
commented by user (2.7k points)
Thanks. The data I'm protecting may contain some personal data, and I'll go find some code for two-factor authentication.

2 Answers

0 votes
answered by user (140 points)

Of course your method won't be safe. Did you think that with only HTML you can secure your code? The answer is no. Even if you add JavaScript, your code will be wide open to attacks, so what I recommend is to add one real language which can interact with the database.

commented by user (2.7k points)
But since I only need one password and no username, I think I don't want to touch the DB, since I'm not familiar with SQL.
commented by user (140 points)
OK @Andrew, I understand what you mean, but let's think about it. You only need a password to log in, but where will you check whether that password already exists or not? That would be a problem, because a person can enter many times with different passwords. Then again, if you want to store the password in a session, that would be fine, but as soon as the session is destroyed, so is the password.
commented by user (2.7k points)
OK, now I'm using this system for private use, and we use the password only so it can't be accessed by other people, so we only need one password to access it, which is known by all the people in our private organisation. Also, sorry for not stating the question clearly: the main part I'm asking is, can the attacker see the data I send via the POST method even though I'm using/forcing an HTTPS connection?
0 votes
answered by user (420 points)

If you want to be as safe as possible, here is what I suggest:

Hash the password a first time in JavaScript using this: https://github.com/emn178/js-sha256/blob/master/src/sha256.js

The password has to be sent through an HTTPS connection, of course.

On the server side, when you receive the password, hash it again with SHA-256 (or another algorithm; it doesn't matter, but SHA-256 is safe and relatively fast to compute) and compare it with a local file containing the password hashed twice.

To recap: hash in JavaScript -> send through HTTPS -> hash on the server -> compare with the local file containing the double hash.

The hash in JavaScript is only there because, if a potential attacker performs a MITM, he will be able (under some conditions) to see the hash but not the original password, so even if he is able to authenticate on your service with that hash, he will not be able to retrieve the real password (which might be used on other websites/services).

Moreover, if you're being paranoid, you can salt your password to prevent any brute force using rainbow tables.

commented by user (2.7k points)
But in this case, will the attacker see the script, find out our hash algorithm, and then crack it?
commented by user (420 points)
You can't crack a hash algorithm; it's a one-way function. You can just brute-force it.
commented by user (2.7k points)
So, if you hash the password, somebody may attack, learn the hash, and be able to log in to my service with that hash without knowing the real password? If yes, I want to point out that in this case my service may contain personal information, and I want it to be fully secure. So if I use a hash and a custom salt, even if the attacker gets the hash which was generated by both SHA-256 and the custom salt, the attacker can't authenticate to the service with that hash, right? Since the password for authentication won't be used in any other service, my main mission is to ensure that the attacker can't authenticate in any way.
commented by user (420 points)
I think you are misunderstanding what a hash is: a hash can't be reverted! So if you compare the hash server side, even if the attacker has the hash, he will not be able to log in (en.wikipedia.org/wiki/Cryptographic_hash_function).
commented by user (2.7k points)
But you said the attacker can authenticate with the hash he gets without getting the real password, so I want to make sure there isn't any possibility of authenticating whether he knows the real password or only the hash. If I misunderstood anything, please point it out, since I'm a beginner on the security side.
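As an added example (not code from any of the posters above), here is the server side of the second answer's recap ("send through HTTPS -> hash on the server -> compare with a local file") written for the asker's PHP setup. It departs from the answer in one deliberate way: instead of a plain SHA-256 double hash, it stores the shared password with PHP's password_hash(), which salts it and uses a slow algorithm, and checks it with password_verify(), which compares in constant time. The file path, the form field name "password" and the redirect target are assumptions. Note that whatever value the server compares against the file is the effective credential, so this is only as strong as the HTTPS channel and the secrecy of the hash file; keep that file outside the web root.

```php
<?php
// Added example (not from the original posts): single-password gate for a PHP form,
// with the secret kept as a salted, slow hash in a local file instead of a database.
declare(strict_types=1);

// Assumption: the hash file lives outside the web root so the web server never serves it.
const HASH_FILE = '/var/app/private/gate.hash';

// One-time setup: writes the hash of the shared password.
// password_hash() picks a random salt and a slow algorithm (bcrypt with PASSWORD_DEFAULT),
// so a leaked hash file cannot be turned back into the password with rainbow tables.
function writePasswordHash(string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents(HASH_FILE, $hash . "\n", LOCK_EX);
    chmod(HASH_FILE, 0600);
}

// Verify a submitted password against the stored hash.
// password_verify() re-derives the hash with the stored salt and compares in constant time.
function checkPassword(string $candidate): bool
{
    $stored = @file_get_contents(HASH_FILE);
    if ($stored === false) {
        return false;            // no hash file: nobody can log in
    }
    return password_verify($candidate, trim($stored));
}

// Guard for any protected page: include this file and call requireLogin() at the top.
function requireLogin(): void
{
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        exit('Login required');
    }
}

// Setup mode from the command line:  php gate.php 'the shared password'
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    writePasswordHash($argv[1]);
    echo "Hash written to " . HASH_FILE . "\n";
    exit;
}

// Web mode: handle the login form (field name "password" is an assumption).
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $candidate = (string) ($_POST['password'] ?? '');

    if (checkPassword($candidate)) {
        session_regenerate_id(true);          // fresh session id after login (fixation defence)
        $_SESSION['logged_in'] = true;
        header('Location: /protected.php');   // assumption: the page behind the gate
        exit;
    }

    usleep(500000);                           // slow down online guessing a little
    http_response_code(403);
    echo 'Wrong password';
}
```

The form itself can stay a plain HTML POST over HTTPS, as the first commenter says; the browser's TLS session is what keeps the POST body from a network observer, and the server-side check is what decides who gets in. Logging failed attempts (source address, timestamp) and rate limiting per address are the two additions a practitioner would make next.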